Mallory

Singularity

Singularity is a Linux kernel rootkit targeting Linux kernel 6.x systems. The provided content describes it as a modern LKM-based rootkit created by MatheuZSecurity that uses ftrace-based hooks to intercept kernel functionality, including SysRq diagnostic paths, in order to hide processes from kernel ring buffer dumps. It is explicitly described as using a load_and_persistence.sh script that ultimately loads its kernel module with insmod, and as establishing persistence by creating a configuration file under /etc/modules-load.d/. The content also notes suggested deployment from /dev/shm.

High-confidence capabilities described in the content include process hiding, file concealment, network stealth, privilege escalation to root, real-time log filtering and sanitization, blocking eBPF-based monitoring, disabling io_uring protections, preventing legitimate kernel module loading, and intercepting attempts to disable ftrace. It is also described as monitoring more than 15 sensitive syscalls related to file I/O and returning false success while blocking execution. The rootkit reportedly clears the kernel tainted_mask to reduce detection of unauthorized kernel modifications and filters forensic keywords such as taint, journal, and kallsyms_lookup_name from logs. A Kyntra blog post specifically states that Singularity intercepts SysRq diagnostic paths to hide processes from kernel ring buffer dumps.

The content further attributes remote access functionality to Singularity via an ICMP-triggered reverse shell, with child processes inheriting hiding properties. It is described as compatible with x64 and ia32 architectures and as bypassing common Linux rootkit detection tools including unhide, chkrootkit, and rkhunter. Mentioned indicators and artifacts include the use of a .ko kernel module loaded via insmod, persistence under /etc/modules-load.d/, execution from /dev/shm, and log-clearing behavior including attempts to clear logs via journalctl.
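The indicators above (a .ko loaded with insmod, staging in /dev/shm, a cleared tainted_mask, log filtering) and the detection advice quoted in the ATT&CK evidence below (trace the module-loading syscalls rather than the tools that invoke them) suggest a simple host-triage routine. The following is an added example, not Mallory's or the Singularity project's code: it parses auditd records for init_module, finit_module and delete_module, replays them against /proc/modules to surface a module that was loaded but is no longer listed, flags loads of module names not indexed under /lib/modules, and checks whether the taint mask still carries the out-of-tree bit that such a load should have set, which is the inconsistency a zeroed tainted_mask leaves behind. It assumes x86_64 audit records (arch=c000003e) and the KERN_MODULE record the kernel emits with those syscalls; the sample audit lines, serials, PIDs and the module name example_mod are constructed.

```python
"""Offline triage of LKM-rootkit indicators (added example, not the page's or the
project's code). Inputs are data a responder already collects: auditd records for
the module syscalls, /proc/modules text, the module names indexed under
/lib/modules/<release>, and /proc/sys/kernel/tainted. Assumes x86_64 audit
records (arch=c000003e) plus the KERN_MODULE record that carries the module name."""
import re
from collections import defaultdict

# x86_64 syscall numbers; ia32 numbers differ and are not handled here.
SYSCALL_NUMBERS = {175: "init_module", 176: "delete_module", 313: "finit_module"}
LOADERS = {"init_module", "finit_module"}
# Taint flag letters, bit 0 first (Documentation/admin-guide/tainted-kernels.rst).
TAINT_LETTERS = "PFSRMBUDAWCIOELKXT"
TAINT_OUT_OF_TREE = 1 << 12  # 'O': an out-of-tree module was loaded

_SERIAL = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_audit(lines):
    """Group auditd records by event serial: {serial: [record_dict, ...]}."""
    events = defaultdict(list)
    for line in lines:
        m = _SERIAL.search(line)
        if not m:
            continue
        rec = {"_ts": m.group(1)}
        for key, raw, quoted in _FIELD.findall(line):
            rec[key] = quoted if raw.startswith('"') else raw
        events[int(m.group(2))].append(rec)
    return events

def module_events(lines):
    """One entry per audit event that invoked a module syscall, in serial order."""
    out = []
    for serial, recs in sorted(parse_audit(lines).items()):
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None:
            continue
        raw = sc.get("syscall", "")
        name = raw if raw in SYSCALL_NUMBERS.values() else None  # 'ausearch -i' form
        if name is None and raw.isdigit() and sc.get("arch") == "c000003e":
            name = SYSCALL_NUMBERS.get(int(raw))
        if name is None:
            continue
        km = next((r for r in recs if r.get("type") == "KERN_MODULE"), None)
        out.append({"serial": serial, "ts": sc["_ts"], "syscall": name,
                    "module": km.get("name") if km else None, "comm": sc.get("comm"),
                    "exe": sc.get("exe"), "success": sc.get("success") == "yes"})
    return out

def hidden_modules(events, proc_modules_text):
    """Replay the audit trail (loads minus later unloads) and return the modules it
    says are resident but /proc/modules does not list. A module that unlinked itself
    from the kernel's module list lands here, provided the audit log was not
    tampered with (this family is described as filtering logs in real time)."""
    live = set()
    for ev in events:
        if not (ev["success"] and ev["module"]):
            continue
        if ev["syscall"] in LOADERS:
            live.add(ev["module"])
        else:
            live.discard(ev["module"])
    listed = {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}
    return sorted(live - listed)

def unexpected_loads(events, known_names):
    """Successful loads of module names not indexed under /lib/modules/<release>."""
    return [ev for ev in events
            if ev["syscall"] in LOADERS and ev["success"] and ev["module"] not in known_names]

def decode_taint(value):
    """Flag letters for the set bits of /proc/sys/kernel/tainted, e.g. ['O', 'E']."""
    return [c for i, c in enumerate(TAINT_LETTERS) if value & (1 << i)]

def taint_cleared(events, known_names, tainted_value):
    """True when an out-of-tree load was observed but the taint mask lacks 'O':
    the inconsistency a module that zeroes tainted_mask leaves behind. Caveat: a
    vendor or DKMS module copied outside /lib/modules also trips this check."""
    return bool(unexpected_loads(events, known_names)) and not (tainted_value & TAINT_OUT_OF_TREE)

# Constructed sample data: serials, PIDs and the module name 'example_mod' are made up.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 ppid=1400 pid=1422 auid=1000 uid=0 gid=0 euid=0 comm="insmod" exe="/usr/bin/kmod" key="modload"
type=KERN_MODULE msg=audit(1700000000.101:2001): name="example_mod"
type=SYSCALL msg=audit(1700000000.250:2002): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="systemd-modules" exe="/usr/lib/systemd/systemd-modules-load" key="modload"
type=KERN_MODULE msg=audit(1700000000.250:2002): name="nf_conntrack"
type=SYSCALL msg=audit(1700000000.300:2003): arch=c000003e syscall=176 success=yes exit=0 a0=0 a1=800 a2=0 a3=0 items=0 ppid=1400 pid=1430 auid=1000 uid=0 gid=0 euid=0 comm="rmmod" exe="/usr/bin/kmod" key="modload"
type=KERN_MODULE msg=audit(1700000000.300:2003): name="dummy_test"
"""
SAMPLE_PROC_MODULES = "nf_conntrack 176128 1 nf_nat, Live 0xffffffffc0a00000\nxt_tcpudp 20480 0 - Live 0xffffffffc0900000\n"
KNOWN_MODULES = {"nf_conntrack", "nf_nat", "xt_tcpudp", "dummy_test"}

if __name__ == "__main__":
    evs = module_events(SAMPLE_AUDIT.splitlines())
    for ev in evs:
        print(ev["serial"], ev["syscall"], ev["module"], "by", ev["comm"], ev["exe"])
    print("hidden from /proc/modules:", hidden_modules(evs, SAMPLE_PROC_MODULES))
    print("taint cleared?", taint_cleared(evs, KNOWN_MODULES, 0))
```

Because the family is described as filtering logs on the host in real time, the audit records fed to module_events should come from a remote collector, not from the local journal. The /proc/modules cross-check is only a cheap heuristic: it catches a module that hides from the module list, but not one that also succeeded in suppressing its own audit record.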


MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1590 Gather Victim Network Information (evidence: 1)

Knowing the local IP address allows attackers to perform targeted DNS rebinding attacks without the need to know or guess the victim’s network IP range. Singularity includes IP address and network range detection functionality by abusing WebRTC...

Persistence

1 technique
T1547.006 Kernel Modules and Extensions (evidence: 1)

Loading an LKM manually typically requires using built-in command-line utilities such as modprobe, insmod, and kmod... Effective detection should therefore focus on tracing these syscalls directly, rather than the tooling that invokes them.

Privilege Escalation

1 technique
T1547.006 Kernel Modules and Extensions (evidence: 1)

Loading an LKM manually typically requires using built-in command-line utilities such as modprobe, insmod, and kmod... Effective detection should therefore focus on tracing these syscalls directly, rather than the tooling that invokes them.

Stealth

2 techniques
T1070.002 Clear Linux or Mac System Logs (evidence: 1)

Or clear the kernel message buffer through dmesg... Another means of clearing these logs is by using journalctl... This is a technique that was used by Singularity.

T1564 Hide Artifacts (evidence: 1)

"...to hide processes from kernel ring buffer dumps"

Discovery

1 technique
T1046 Network Service Discovery (evidence: 1)

Singularity includes a browser based JavaScript port scanner to discover HTTP services accessible from the victim’s host, including internal networks, and to launch DNS rebinding attacks in an automated manner.

Collection

1 technique
T1185 Browser Session Hijacking (evidence: 1)

This update documents the state of DNS rebinding for April 2023... While Local Network Access makes it harder, it is still possible to execute DNS rebinding attacks.

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
4 tracked

IPs, domains, and DNS infrastructure linked to this family.

Type     Value           Latest sighting
domain   ●●●●●●●●●●●●    3 years ago
domain   ●●●●●●●●●●●●    3 years ago
domain   ●●●●●●●●●●●●    3 years ago
ip.v4    ●●●●●●●●●●●●    3 years ago
ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
